Description
The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL.
Remediation
References
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33948
Related Vulnerabilities
CVE-2023-32985 Vulnerability in maven package org.jenkins-ci.plugins:sidebar-link
CVE-2016-4055 Vulnerability in maven package org.fujion.webjars:moment
CVE-2020-6463 Vulnerability in maven package org.webjars.npm:electron
CVE-2019-1003044 Vulnerability in maven package org.jenkins-ci.plugins:slack
CVE-2023-20866 Vulnerability in maven package org.springframework.session:spring-session-core